What is Authentication? Security Guide for Developers


TL;DR

Authentication (often called "auth") is how your app verifies who a user is. It's the login process. When someone enters their email and password, your app checks if those credentials match a real account. Authentication answers the question "Who are you?" while authorization (a separate concept) answers "What can you do?"

The Simple Explanation

Think of authentication like checking ID at the door of a club. The bouncer doesn't care what you want to do inside. They just need to confirm you are who you claim to be before letting you in.

In your app, authentication happens when users:

  • Log in with email and password
  • Sign in with Google, GitHub, or other social providers
  • Click a magic link sent to their email
  • Enter a code from an authenticator app

Authentication vs Authorization

These two terms get confused constantly, but they're different:

  • Authentication: Who are you? (happens at login)
  • Authorization: What can you do? (happens on every action)

Memory trick: AutheNtication = "Who am I?" (N for Name). AuthoriZation = "What can I do?" (Z for Zone/Access zone).
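Here is the same distinction in code, as an added example (not from the original page): a Node.js request handler that authenticates once by turning a session cookie into a user, then authorizes the specific action against the specific post. The session, user and post stores, the cookie name and the user IDs are all made up for the example; a real app would read them from its database.

```javascript
// Added example (not the original page's code): authentication first,
// then authorization on every action. All stores and IDs are constructed.

class AuthError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status; // 401 = not authenticated, 403 = authenticated but not allowed
  }
}

// Constructed in-memory stores standing in for a database.
const sessions = new Map([
  ["sess_alice", { userId: "u1" }],
  ["sess_bob", { userId: "u2" }],
]);
const users = new Map([
  ["u1", { id: "u1", role: "user" }],
  ["u2", { id: "u2", role: "admin" }],
]);
const posts = new Map([
  ["p1", { id: "p1", authorId: "u1" }],
  ["p2", { id: "p2", authorId: "u3" }], // owned by someone who is not logged in here
]);

// Authentication: "Who are you?" Turn the session cookie into a user, or fail with 401.
function authenticate(req) {
  const session = sessions.get(req.cookies?.session);
  const user = session && users.get(session.userId);
  if (!user) throw new AuthError(401, "authentication required");
  return user;
}

// Authorization: "What can you do?" Decided per action, against the specific resource.
function canDeletePost(user, post) {
  return user.role === "admin" || post.authorId === user.id;
}

// Correct handler: authenticate, load the resource, authorize, then act.
function deletePost(req, postId) {
  try {
    const user = authenticate(req);
    const post = posts.get(postId);
    if (!post) return { status: 404 };
    if (!canDeletePost(user, post)) throw new AuthError(403, "forbidden");
    // The real delete would happen here; the example returns instead of mutating the store.
    return { status: 204, deletedBy: user.id };
  } catch (err) {
    if (err instanceof AuthError) return { status: err.status, error: err.message };
    throw err;
  }
}

// Broken handler for contrast: it authenticates but never authorizes, so any
// logged-in user can delete anyone's post. Passing the login check is not permission.
function deletePostInsecure(req, postId) {
  try {
    const user = authenticate(req);
    if (!posts.has(postId)) return { status: 404 };
    return { status: 204, deletedBy: user.id };
  } catch (err) {
    if (err instanceof AuthError) return { status: err.status, error: err.message };
    throw err;
  }
}
```

The status codes carry the distinction too: 401 means "I don't know who you are", 403 means "I know who you are and the answer is no".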

Common Authentication Methods

Password-Based

The classic approach. Users create a password when signing up, then enter it to log in. Simple but has drawbacks: users pick weak passwords, reuse them across sites, and forget them. It also puts a burden on you: passwords must never be stored as typed or as a fast hash like MD5 or SHA-256. Store them with a slow, salted password hash (bcrypt, scrypt or Argon2) so a leaked database can't be cracked cheaply, and reject passwords that appear in known breach lists at signup.

Social Login (OAuth)

Let users log in with Google, GitHub, or other providers. You don't store passwords at all. The provider handles authentication, and you get a token confirming the user's identity. Strictly speaking, OAuth 2.0 is an authorization protocol; the identity part comes from OpenID Connect (OIDC), which returns a signed ID token alongside the OAuth access token. Your server must validate that token (signature, issuer, audience, expiry) before trusting the identity inside it, and must never accept a user ID that the browser simply claims.

Magic Links

Email the user a one-time login link. When they click it, they're authenticated. No password to remember. Slack and Notion use this approach.

Two-Factor Authentication (2FA)

Requires two forms of proof: something you know (password) plus something you have (a phone running an authenticator app, or a hardware security key). Even if a password is stolen, an attacker can't get in without the second factor. The factors are not equal, though: SMS and app-generated codes can be captured by a phishing page and relayed to the real site in real time, while FIDO2/WebAuthn security keys and passkeys are bound to the site's origin and resist that attack.

Why Authentication Matters

Broken authentication is consistently in the OWASP Top 10 security risks (A2:2017 "Broken Authentication", renamed A07:2021 "Identification and Authentication Failures"). Common problems include:

  • Credential stuffing: Attackers try leaked username/password combos from other breaches, which works because people reuse passwords
  • Brute force: Automated attempts to guess passwords for one account
  • Session hijacking: Stealing logged-in session tokens, for example through XSS or cookies sent without the Secure and HttpOnly flags
  • Missing rate limiting: Allowing unlimited login attempts, which is what makes the first two attacks cheap enough to be worthwhile
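As an added example (not the page's code), here is a sliding-window login throttle in Node.js that counts failures per account and per client IP, run over a constructed stream of attempts that plays out the credential stuffing and brute force cases above and the rate limiting that stops them. The IP addresses come from the RFC 5737 documentation ranges, and the thresholds, window and usernames are illustrative.

```javascript
// Added example, not the original page's code: a login throttle keyed by account
// and by source IP, exercised with a constructed attempt log.

class LoginThrottle {
  constructor({ windowMs = 15 * 60 * 1000, maxPerAccount = 5, maxPerIp = 20 } = {}) {
    this.windowMs = windowMs;
    this.maxPerAccount = maxPerAccount;
    this.maxPerIp = maxPerIp;
    this.byAccount = new Map(); // username -> [failure timestamps]
    this.byIp = new Map();      // ip -> [failure timestamps]
  }

  // Drop failures older than the window and return the ones that remain.
  _recent(map, key, now) {
    const kept = (map.get(key) || []).filter((t) => now - t < this.windowMs);
    map.set(key, kept);
    return kept;
  }

  // Call before checking the password. Rejecting early also means an attacker's
  // flood never reaches the (deliberately slow) password hash.
  check(ip, username, now) {
    if (this._recent(this.byIp, ip, now).length >= this.maxPerIp) {
      return { allowed: false, reason: "ip_throttled" }; // one source, many accounts
    }
    if (this._recent(this.byAccount, username.toLowerCase(), now).length >= this.maxPerAccount) {
      return { allowed: false, reason: "account_throttled" }; // many sources, one account
    }
    return { allowed: true };
  }

  recordFailure(ip, username, now) {
    this._recent(this.byIp, ip, now).push(now);
    this._recent(this.byAccount, username.toLowerCase(), now).push(now);
  }

  recordSuccess(username) {
    this.byAccount.delete(username.toLowerCase()); // a real login clears that account's counter
  }
}

// Constructed credential store for the scenario: only "carol" exists.
const VALID = new Map([["carol", "hunter2-but-longer"]]);

function attempt(throttle, { ip, user, password, t }) {
  const gate = throttle.check(ip, user, t);
  if (!gate.allowed) return gate.reason;
  if (VALID.get(user) === password) {
    throttle.recordSuccess(user);
    return "ok";
  }
  throttle.recordFailure(ip, user, t);
  // One generic answer for "no such user" and "wrong password": no username enumeration.
  return "invalid_credentials";
}

function runScenario() {
  const throttle = new LoginThrottle();
  const results = { stuffing: [], bruteforce: [], legit: [] };
  // Credential stuffing: one IP replays leaked pairs against 30 different accounts.
  for (let i = 0; i < 30; i++) {
    results.stuffing.push(attempt(throttle, { ip: "203.0.113.7", user: `user${i}`, password: "leaked", t: 1000 + i * 500 }));
  }
  // Brute force: 10 different IPs each guess one password for the same account.
  for (let i = 0; i < 10; i++) {
    results.bruteforce.push(attempt(throttle, { ip: `198.51.100.${i}`, user: "alice", password: `guess${i}`, t: 60_000 + i * 500 }));
  }
  // Legitimate user: two typos, then the right password, from her own IP.
  for (const pw of ["hunter2", "Hunter2-but-longer", "hunter2-but-longer"]) {
    results.legit.push(attempt(throttle, { ip: "192.0.2.10", user: "carol", password: pw, t: 120_000 }));
  }
  return results;
}
```

Two caveats for real deployments: a per-IP limit penalizes many users behind one NAT or carrier address, so keep that threshold generous and lean on the per-account limit; and stuffing spread across thousands of IPs slips under both counters, which is where checks against breached-password lists and device or IP reputation signals come in.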

Authentication Services for Vibe Coders

Building authentication from scratch is complex and risky. Most apps should use a service:

  • Clerk: Beautiful UI, easy setup
  • Supabase Auth: Already using Supabase
  • Auth0: Enterprise features
  • NextAuth.js: Next.js apps, self-hosted
  • Firebase Auth: Already using Firebase

What is the difference between authentication and authorization?

Authentication verifies WHO you are (login). Authorization determines WHAT you can do (permissions). Authentication comes first, then authorization. For example, logging in is authentication. Being able to delete posts because you're an admin is authorization.

What are the most common authentication methods?

Common methods include passwords, social login (Google, GitHub), magic links (email-based), two-factor authentication (2FA), and biometrics. Many apps combine methods for stronger security, like password plus 2FA.

Should I build authentication myself or use a service?

For most apps, use an authentication service like Clerk, Auth0, Supabase Auth, or NextAuth.js. Building auth correctly is complex and security-critical. Services handle password hashing, session management, and security updates so you can focus on your product.
